Chat now with support
Chat with Support

Active Roles 7.2.1 - Exchange Resource Forest Management Administrator Guide

Deprovision

The Deprovision process performs the deprovision operation on the shadow account once the master account is deprovisioned. This causes Active Roles to execute the deprovisioning policies that are in effect on the shadow account to deprovision the linked mailbox of the master account. Note that the mailbox deprovisioning policies must be applied to the container that holds shadow accounts rather than master accounts.

In Active Roles, you can undeprovision the deprovisioned master account. However, this may not undeprovision the shadow account (and, therefore, undeprovision the linked mailbox). For undeprovisioning master accounts to have an effect on shadow accounts, the container that holds deprovisioned master accounts must be in the scope of the Policy Object provided by Exchange Resource Forest Management.

AutoProvision of distribution list manager

Solution Overview > Understanding the solution > AutoProvision of distribution list manager

Exchange publishes distribution lists as mail-enabled groups in Active Directory. Such groups are listed in the Global Address List (GAL) and can be administered using Microsoft Outlook. Thus, Outlook can be used to add or remove members from a distribution list provided that the Outlook user is allowed to update the membership list of the respective group in Active Directory.

With Active Roles, an administrator can delegate the membership management task on a group to the account that is designated as the manager of the group. This can be done by specifying the manager’s account on the Managed By page and then selecting the check box to allow the manager to update the membership list of the group. Both the group and the manager’s account must be in the same Active Directory forest.

In the Exchange resource forest topology, where mail-enabled groups are located in the forest other than the forest containing user accounts, delegating the membership management task in this way is not feasible. To address the problem, Exchange Resource Forest Management synchronizes the manager setting for a shadow account on a group in the Exchange forest with the respective master account in the accounts forest, causing Active Roles to give the necessary rights to the master account.

If a user account (master account) in an accounts forest is configured to have a mailbox in the Exchange forest, and thus has a shadow account in the Exchange forest, the Managed By page can be used to give the master account the right to manage the membership list of a group. When you specify the shadow account as the manager of the group and select the check box to allow the manager to update the membership list, Exchange Resource Forest Management causes Active Roles to change security settings on the group so that the master account is authorized to add or remove members from the group.

Hence, on the Managed By page, you need to specify the shadow account rather than the master account. This requires a tool that would enable you to identify the shadow account. Exchange Resource Forest Management customizes the Active Roles Web Interface by adding a new entry to identify the shadow account. You can tell the shadow account’s name and other properties from the Shadow Account tab on the Exchange Properties page for the master account.

Mailbox type conversion

Solution Overview > Understanding the solution > Mailbox type conversion

You can use Active Roles to convert a linked mailbox to a user mailbox, and vice versa, by managing the mailbox in the Exchange forest.

For linked mailboxes in the Exchange forest, the Active Roles Web Interface provides a command allowing you to unlink the mailbox from the external user. The command converts the mailbox to the user mailbox type, and enables the user account associated with the mailbox in the Exchange forest. The external user can no longer access the mailbox.

Foe user mailboxes in the Exchange forest, the Web Interface provides a command allowing you to link the mailbox to an external user from an accounts forest. The domain of the external user account must be registered with Active Roles (managed domain). The command converts the mailbox to the linked mailbox type, with the mailbox user in the Exchange forest configured as the shadow account and the external user specified as the linked master account.

For step-by-step instructions, see Mailbox type conversion later in this document.

Technical description

Solution Overview > Technical description

Exchange Resource Forest Management extends the mailbox management capabilities of Active Roles in the case of resource forest topology. This topology option assumes that you have:

  • At least one Active Directory forest containing logon-enabled user accounts for your organization, referred to as an accounts forest. The accounts forest does not have Exchange Server installed, nor does it need to have the Active Directory schema extended with the Exchange Server attributes.
  • An Active Directory forest with Exchange Server, referred to as the Exchange forest, to hold mailboxes for user accounts from the accounts forest.
  • Trust relationships configured so that the Exchange forest trusts the accounts forest.

With Exchange Resource Forest Management, you can use Active Roles to:

  • Create a mailbox for a user account from the accounts forest.

    You can create a mailbox when creating a user account in the accounts forest. It is also possible to create a mailbox for a user account that already exists in the accounts forest. As a result, Active Roles creates a disabled user account (shadow account) with a linked mailbox in the Exchange forest, and associates the shadow account and the mailbox with the user account (master account) held in the accounts forest.

  • View or change mailbox properties, and perform Exchange tasks, on a user account from the accounts forest (master account) that has a linked mailbox in the Exchange forest.

    The pages for managing the master account include all Exchange properties and tasks that are normally available when the mailbox resides in the same forest as the managed user account. With Exchange Resource Forest Management, Active Roles synchronizes the Exchange properties displayed or changed on the pages for managing the master account with the properties of the linked mailbox.

  • View or change the personal or organization-related properties of the master account while having them synchronized to the respective properties of the shadow account.

When you use Active Roles to change the personal or organization-related properties of the master account, Exchange Resource Forest Management causes Active Roles to apply the changes to those properties of the shadow account as well. This function ensures correct information about the master account in the Exchange address lists.

  • Deprovision a master account while having Active Roles deprovision the master account’s mailbox in the Exchange forest.

When you deprovision a master account, Exchange Resource Forest Management causes Active Roles to apply the deprovisioning policies to both the master account and shadow account. As a result, Active Roles makes all the necessary changes to deprovision the mailbox. You can revert these changes by undeprovisioning the master account.

  • Delegate Exchange mailbox management tasks by applying Access Templates to containers that hold master accounts.

For example, you can apply the “Exchange - Recipients Full Control” Access Template to a container in the accounts forest, which enables the delegated administrator to create, view or change linked mailboxes in the Exchange forest by managing master accounts held in that container.

  • Enable a master account to update membership list of a distribution group held in the Exchange forest.

When you make a shadow account the manager or a secondary owner of a distribution group and allow the manager or secondary owners to update membership list, Exchange Resource Forest Management ensures that the corresponding master account has sufficient rights to add or remove members from that group using Exchange clients such as Microsoft Outlook or Outlook Web App.

Exchange Resource Forest Management also enables Active Roles to provide all these administrative capabilities for linked mailboxes created by Active Roles with an earlier version of Exchange Resource Forest Management or without Exchange Resource Forest Management, or created by tools other than Active Roles. Exchange Resource Forest Management schedules Active Roles to search the managed domains for linked mailboxes whose master account:

  • Is in the scope of the Exchange Resource Forest Management policy for mailbox management
  • Does not have a reference to the shadow account expected by Exchange Resource Forest Management

For each master account that meets these conditions, Active Roles updates the master account with a reference to the shadow account, thereby extending the capabilities of Exchange Resource Forest Management to that master account and its linked mailbox. As a result, the linked mailbox falls under the control of Exchange Resource Forest Management.

Related Documents